I'm using Stunnel 4.18. I would like to disable SSLv2, but allow SSLv3 and TLSv1. Is this currently possible in Stunnel?
I've tried two things so far: first I tried to use the option
options = SSL_OP_NO_SSLv2 (from "man SSL_CTX_set_options")
It didn't work. This is what I got:
2006.10.27 18:32:48 LOG7[6358:3082897088]: Snagged 64 random bytes from /root/.rnd
2006.10.27 18:32:48 LOG7[6358:3082897088]: Wrote 1024 new random bytes to /root/.rnd
2006.10.27 18:32:48 LOG7[6358:3082897088]: RAND_status claims sufficient entropy for the PRNG
2006.10.27 18:32:48 LOG7[6358:3082897088]: PRNG seeded successfully
file /etc/stunnel/stunnel.conf line 18: Illegal SSL option
Nothing gets logged, the above is the response to the startup command.
The other thing I tried, though I really didn't expect it to work, was replacing the "options" option with
sslVersion = SSLv3 TLSv1
This option seems to accept only one version at a time, or alternatively all of them with "all" on the right-hand side, so this failed and stunnel didn't start.
Any suggestions? The only thing I can think of is that the SSL option SSL_OP_NO_SSLv2 is something that should have been set when configuring the OpenSSL installation, and since I have a readily wrapped package, it has not been included there. In that case I could install OpenSSL from scratch. But before I try that, I thought I would ask if somebody was already familiar with the problem.
Tommi Nieminen
---------------------------------------------------
Here is the stunnel config file I was using:

CAfile = /etc/stunnel/root-cert.pem
cert = /etc/stunnel/device-cert.pem
key = /etc/stunnel/device-key.pem

output = /var/log/stunnel/stunnel.log
pid = /var/run/stunnel/stunnel.pid
debug = 7
client = no

[https]
accept = 443
connect = 192.168.10.17:5010
verify = 1
options = SSL_OP_NO_SSLv2
;sslVersion = SSLv3 TLSv1
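For the record, here is an added example of a stunnel.conf that does what the question asks. It is not part of the original post; it reuses the poster's certificate paths and backend address. The stunnel manual documents the "options" directive as taking the names from SSL_CTX_set_options(3) with the SSL_OP_ prefix removed, so the directive is "options = NO_SSLv2" rather than "options = SSL_OP_NO_SSLv2", and the Illegal SSL option error above is the parser rejecting the prefixed name. sslVersion stays a single value ("all" selects the version-flexible method); the unwanted protocol is then subtracted with "options".

```ini
; stunnel.conf: disable SSLv2, keep SSLv3 and TLSv1 (stunnel 4.x syntax)
; Added example, not from the original post. Paths and the backend
; address are the poster's; the option name follows the stunnel manual
; (SSL_CTX_set_options names with the SSL_OP_ prefix stripped).
CAfile = /etc/stunnel/root-cert.pem
cert = /etc/stunnel/device-cert.pem
key = /etc/stunnel/device-key.pem

output = /var/log/stunnel/stunnel.log
pid = /var/run/stunnel/stunnel.pid
debug = 7
client = no

[https]
accept = 443
connect = 192.168.10.17:5010
verify = 1

; sslVersion accepts exactly one value. "all" uses the version-flexible
; method that negotiates SSLv2, SSLv3 and TLSv1; protocols are then
; removed individually with "options".
sslVersion = all

; Correct form: the OpenSSL option name without the SSL_OP_ prefix.
; (The rejected line was: options = SSL_OP_NO_SSLv2)
options = NO_SSLv2

; When SSLv3 is no longer needed either, add a second options line;
; each line adds one more option to the set:
;options = NO_SSLv3
```

After editing, start stunnel with the same debug = 7 setting: if the option name is accepted the startup output continues past the PRNG lines instead of stopping at "Illegal SSL option", and the service binds to port 443.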